Fix CodeQL warnings (#8663)

wiktork · web-flow · commit 792ebdd7866a · 2025-10-22T00:53:34.000Z
diff --git a/eng/release/DiagnosticsReleaseTool/Common/AzureBlobPublisher.cs b/eng/release/DiagnosticsReleaseTool/Common/AzureBlobPublisher.cs
@@ -44,10 +44,10 @@ private TokenCredential Credentials
                 if (_clientId == null)
                 {
                     // Local development scenario. Use the default credential.
-                    return new DefaultAzureCredential();
+                    return new DefaultAzureCredential(); // CodeQL [SM05137] This is not a security issue as this is for local development only. 
                 }
 
-                return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId });
+                return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId }); // CodeQL [SM05137] This is not a security issue since this is only used for pipeline builds.
             }
         }
 
diff --git a/src/Extensions/AzureBlobStorage/AzureBlobEgressProvider.cs b/src/Extensions/AzureBlobStorage/AzureBlobEgressProvider.cs
@@ -394,7 +394,7 @@ private static TokenCredential CreateDefaultCredential(AzureBlobEgressProviderOp
                 credOptions.ManagedIdentityClientId = options.ManagedIdentityClientId;
             }
 
-            return new DefaultAzureCredential(credOptions);
+            return new DefaultAzureCredential(credOptions); // CodeQL [SM05137] Guidance here is to ensure that credential lookup is deterministic by using an environment variable. We accomplish this through settings and only including Managed Identity and Workload credentials, and do not want to introduce a breaking change.
         }
 
         private static DefaultAzureCredentialOptions GetDefaultCredentialOptions() =>

Original file line number	Diff line number	Diff line change
`@@ -44,10 +44,10 @@ private TokenCredential Credentials`
`44`	`44`	`if (_clientId == null)`
`45`	`45`	`{`
`46`	`46`	`// Local development scenario. Use the default credential.`
`47`		`- return new DefaultAzureCredential();`
	`47`	`+ return new DefaultAzureCredential(); // CodeQL [SM05137] This is not a security issue as this is for local development only.`
`48`	`48`	`}`
`49`	`49`
`50`		`- return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId });`
	`50`	`+ return new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _clientId }); // CodeQL [SM05137] This is not a security issue since this is only used for pipeline builds.`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
Original file line number	Diff line number	Diff line change
`@@ -394,7 +394,7 @@ private static TokenCredential CreateDefaultCredential(AzureBlobEgressProviderOp`
`394`	`394`	`credOptions.ManagedIdentityClientId = options.ManagedIdentityClientId;`
`395`	`395`	`}`
`396`	`396`
`397`		`- return new DefaultAzureCredential(credOptions);`
	`397`	`+ return new DefaultAzureCredential(credOptions); // CodeQL [SM05137] Guidance here is to ensure that credential lookup is deterministic by using an environment variable. We accomplish this through settings and only including Managed Identity and Workload credentials, and do not want to introduce a breaking change.`
`398`	`398`	`}`
`399`	`399`
`400`	`400`	`private static DefaultAzureCredentialOptions GetDefaultCredentialOptions() =>`